Tuesday Feb 19, 2013

Oracle today released the updated February 2013 Critical Patch Update for Java SE. As discussed in a previous blog entry, the purpose of this update is to deliver 5 additional fixes which could not be included when Oracle accelerated the release of the Critical Patch Update by publishing it on February 1st instead of February 19th. Note that since Critical Patch Updates for Java SE are cumulative, this Critical Patch Update release also includes all previously-released Java SE security fixes.

All but one of the vulnerabilities fixed today apply to client deployment of Java. This means that these 4 vulnerabilities can be exploited through Java Web Start applications on desktops and Java applets in Internet browsers. Three of these vulnerabilities received a CVSS Base Score of 10.0. As I stated before, Oracle reports the most severe CVSS Base Score, and these CVSS 10.0s assume that the user running the malicious Java Applet or Java Web Start application has administrator privileges (as is typical on Windows XP). However, when the user does not run with administrator privileges (as is typical on Solaris and Linux), the corresponding CVSS impact scores for Confidentiality, Integrity, and Availability are "Partial" instead of "Complete", typically lowering the CVSS Base Score to 7.5, which denotes that the compromise does not extend to the underlying Operating System.
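The scoring arithmetic behind that 10.0-versus-7.5 difference, as an added CVSS v2 worked example (not part of the original post). It assumes the client-side flaws are scored with access vector Network, low access complexity and no authentication (AV:N/AC:L/Au:N), which the post does not state explicitly; only the Complete-to-Partial impact change is taken from the text.

```python
"""CVSS v2 base-score calculation (added example, not from the original post).
Shows why an AV:N/AC:L/Au:N flaw scores 10.0 with Complete C/I/A impact
(admin user) but about 7.5 with Partial impact (unprivileged user)."""

# Metric weights from the CVSS v2 specification.
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}


def parse_vector(vector):
    """Turn 'AV:N/AC:L/Au:N/C:C/I:C/A:C' into a dict of metric -> value."""
    return dict(part.split(":") for part in vector.split("/"))


def cvss2_base_score(vector):
    """Return the CVSS v2 base score, rounded to one decimal, for a base vector."""
    m = parse_vector(vector)
    c, i, a = IMPACT[m["C"]], IMPACT[m["I"]], IMPACT[m["A"]]
    impact = 10.41 * (1 - (1 - c) * (1 - i) * (1 - a))
    exploitability = (20 * ACCESS_VECTOR[m["AV"]]
                      * ACCESS_COMPLEXITY[m["AC"]] * AUTHENTICATION[m["Au"]])
    f_impact = 0.0 if impact == 0 else 1.176   # no impact -> score forced to 0
    score = ((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact
    return round(score, 1)


def rescore_for_unprivileged_user(vector):
    """Re-score the same flaw assuming the JRE runs without admin rights:
    every Complete impact becomes Partial, as the post describes."""
    m = parse_vector(vector)
    for metric in ("C", "I", "A"):
        if m[metric] == "C":
            m[metric] = "P"
    return "/".join(f"{k}:{v}" for k, v in m.items())


if __name__ == "__main__":
    admin = "AV:N/AC:L/Au:N/C:C/I:C/A:C"     # assumed vector for the 10.0 flaws
    user = rescore_for_unprivileged_user(admin)
    print(admin, cvss2_base_score(admin))    # 10.0
    print(user, cvss2_base_score(user))      # 7.5
```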

The last security fix added by this updated Critical Patch Update release applies to server deployments of the Java Secure Socket Extension (JSSE). This fix is for a vulnerability commonly referred to as the “Lucky Thirteen” vulnerability in SSL/TLS (CVE-2013-0169). This vulnerability has received a CVSS Base Score of 4.3.

Finally, note that Oracle’s intent is to continue to accelerate the release of Java fixes, particularly to help address the security worthiness of the Java Runtime Environment (JRE) in desktop browsers. As a result, we will be issuing a Critical Patch Update for Java SE on April 16, 2013 at the same time as the normally scheduled Critical Patch Update for all non-Java products. The next scheduled release dates for the Critical Patch Update for Java SE are therefore: April 16, 2013; June 18, 2013; October 15, 2013; and January 14, 2014.

As a result of the accelerated release of the Critical Patch Update, Oracle did not include a small number of fixes initially intended for inclusion in the February 2013 Critical Patch Update for Java SE. Oracle is therefore planning to release an updated version of the February 2013 Critical Patch Update on the initially scheduled date.

This updated February 2013 Critical Patch Update will be published on February 19th and will include the fixes that couldn’t be released on February 1st. A new Critical Patch Update Advisory will also be published on February 19th on http://www.oracle.com/technetwork/topics/security/alerts-086861.html to include information about the additional fixes being released.

Note that Critical Patch Updates for Java SE are cumulative. As a result, organizations that may not have applied the February 1st release will be able to apply the updated Critical Patch Update when it is published, and will then gain the benefit of all previously released Java SE fixes. As usual, desktop users will be able to install this new version from java.com or through the Java autoupdate.

Friday Feb 01, 2013

Oracle just released the February 2013 Critical Patch Update for Java SE. The original Critical Patch Update for Java SE was scheduled for February 19th, but Oracle decided to accelerate the release of this Critical Patch Update because one of the vulnerabilities affecting the Java Runtime Environment (JRE) in desktop browsers, which is addressed by this Critical Patch Update, was being actively exploited “in the wild”.

In addition to a number of security-in-depth fixes, the February 2013 Critical Patch Update for Java SE contains fixes for 50 security vulnerabilities. 44 of these vulnerabilities only affect client deployment of Java (e.g., Java in Internet browsers). In other words, these vulnerabilities can only be exploited on desktops through Java Web Start applications or Java applets. In addition, one vulnerability affects the installation process of client deployment of Java (i.e., installation of the Java Runtime Environment on desktops). Note also that this Critical Patch Update includes the fixes that were previously released through Security Alert CVE-2013-0422.

3 of the vulnerabilities fixed in this Critical Patch Update apply to client and server deployment of Java; that means that these vulnerabilities can be exploited on desktops through Java Web Start and Java applets in browsers, or on servers, by supplying malicious input to APIs in the vulnerable server components. In some instances, the exploitation scenario for this kind of bug on servers is very improbable; for example, one of these vulnerabilities can only be exploited against a server in the unlikely scenario that the server was allowed to process image files from an untrusted source.

Finally, 2 of the vulnerabilities fixed in this Critical Patch Update only apply to server deployment of the Java Secure Socket Extension (JSSE).

The maximum CVSS Base Score for the vulnerabilities fixed in this Critical Patch Update is 10.0. This score affects 26 vulnerabilities: 23 of which are client-side vulnerabilities, and 3 applicable to client and server deployments.

This Critical Patch Update is consistent with previous Java security releases, in that most of the vulnerabilities addressed in this Critical Patch Update only affect Java and Java FX client deployments. This reflects the fact that the Java server environment is more secure than the Java Runtime Environment in browsers because servers operate in a more secure and controlled environment.

The popularity of the Java Runtime Environment in desktop browsers, and the fact that Java in browsers is OS-independent, makes Java an attractive target for malicious hackers. Note however that, as stated in a previous blog entry, Oracle reports the most severe CVSS Base Score.

Furthermore, to help mitigate the threat of malicious applets (Java exploits in Internet browsers), Oracle has switched the Java security settings to “high” by default. The "high" security setting requires users to expressly authorize the execution of unsigned applets, allowing a browser user to deny execution of a suspicious applet (where in the past a suspicious applet could execute "silently"). As a result, unsuspecting users visiting malicious web sites will be notified before an applet is run and will gain the ability to deny the execution of the potentially malicious applet. In addition, Oracle has recently introduced the ability for users to easily disable Java in their browsers through the Java Control Panel on Windows.

As stated at the beginning of this blog, Oracle decided to release this Critical Patch Update earlier than planned. After receiving reports of a vulnerability in the Java Runtime Environment (JRE) in desktop browsers, Oracle quickly confirmed these reports, and then proceeded to accelerate normal release testing around the upcoming Critical Patch Update distribution, which already contained a fix for the issue. Oracle felt that releasing this Critical Patch Update two weeks ahead of our intended schedule, instead of releasing a one-off fix through a Security Alert, would be more effective in helping preserve the security posture of Java customers. The size of this Critical Patch Update, as well as its early publication, demonstrates Oracle’s intention to accelerate the release of Java fixes, particularly to help address the security worthiness of the Java Runtime Environment (JRE) in desktop browsers.